Could you really lose one of your most important cyber assets because of something that you receive in the physical, postal, paper mail? Yes.
No, we’re not talking about the recent ransomware attack against Pitney Bowes. We’re talking about one of the potentially most devastating cyber-attacks your business could suffer. It all starts with a letter, and the consequences can be permanent.
Caught Off Guard
Let’s face it. We’re a lot more vigilant about cybersecurity when we’re sitting in front of our computers or tapping away on our smartphones… at least we’re supposed to be. However, when someone at your company is opening the mail, chances are that person’s guard is down. There’s a lot less to worry about. Why? It’s mainly because the cost the bad guys incur in sending a letter is so high compared to the cost of sending huge quantities of deceptive emails or setting up a fraudulent website.
In this case, cyber bandits are willing to incur the cost because the payoff, even from just a tiny percentage of their efforts, is well worth it to them.
High-Value Digital Asset
Most businesses have registered at least one internet domain name. You need a domain name if you’re going to have a website. Most businesses also use email addresses at their domain. (If you don’t, you should. We’ll write about that some other time.) Choosing the right domain is important, and once you have it and have been using it for years, keeping that domain name under your control is far more important.
If you haven’t already, chances are you’ll receive a bogus domain name renewal notification in the mail. (Want to know what these letters look like? Keep reading.) The letter looks real and official. This kind of notice appears to be just an ordinary domain name renewal. However, it’s not from your current domain name registrar, the company you’re already using for that service. Instead, it’s from scam artists who are misrepresenting what they’re offering and have nothing to do with your domain name registration, your other internet services, or your company. They want you to think your domain is already registered with them and that it’s time to renew.
The notices often employ menacing warnings of consequences of not acting quickly. They imply or state that certain actions are required, but if you look a little closer, you’ll see their careful statements are really conditional and usually refer to something you’re already doing. For example, one such letter states, “You must renew your domain to retain exclusive rights to it,” and, “Failure to renew your domain name by the expiration date may result in a loss of your online identity…” While these statements are factually accurate, perhaps helping these digital desperados skirt legal trouble, these are things you’re already doing with the legitimate domain name registrar you’re already using. They’re hoping the ominous tone and sense of urgency will help you set aside reason and follow their instructions immediately. It apparently works, as not only have these virtual villains been doing this for years, but they’ve even caught some of our clients with their guard down. In each such case, we’ve successfully helped the client regain control over their domains, but that’s a costly process that is not guaranteed to succeed, and we’d rather you not need these services.
As we said, these scoundrels want you to sign their document and send payment. What happens if you do? Here are the possibilities.
- At the very least, they will take your money in exchange for whatever “service” the notice offers. If it’s domain name registration, and you transfer your domain name to their registrar, that fee will be quite a bit more than what most legitimate registrars charge. For example, we’ve seen registration fees between $50 and $200, whereas a lot of good, reputable registrars charge between $8 and $25 per year. Then they will transfer your domain to their registrar and probably make it very difficult and expensive to transfer it back. While this situation is bad, if this were the only risk involved, it might not be worth writing all this. Read on.
- Perhaps obviously, if you pay by providing your credit card information on their form, they now have that. Depending on their business model, or should we say modus operandi, there’s no telling what they’ll do with it. Charge you again for some other bogus service they’ll claim you authorized? Sell it on the dark web?
- This is the big one. There’s nothing stopping these guys from just stealing your domain. You might not just be transferring the registration of your domain to a different registrar. You might be transferring ownership of your domain to them! If the wording on the notice, or the wording on some “terms and conditions” web page referenced on the notice, is written to do this, you could be signing away your domain forever… or at least until you buy it back. If you do relinquish ownership of your domain, then getting it back is no different from acquiring any other domain you don’t currently own. The owner can ask any price they want, and you can pay it, negotiate, or walk away.
That’s how you can lose your company’s potentially most valuable digital asset, one that’s integral not just to your marketing, but also to your operations.
An Ounce of Prevention
What can you do about this? A lot! First and foremost, don’t react quickly to notifications you receive regarding your domains, whether they arrive through email or snail mail. Just statistically, most of them will be bogus. You might receive one legitimate message about this stuff per year from your registrar for each domain you own, whereas you might see several bogus messages per domain per year, making the legit ones a small minority. Further, most of the real messages you receive won’t require any action on your part. In fact, probably the only real messages from your registrar that do require a timely response will be those that notify you that your domain is renewing soon and your credit card on file is expired or invalid.
Here are more steps you can take:
- Determine who your domain name registrar is. You can do this through a WHOIS search.
- Determine whether you’re dealing with a reputable registrar. This is easy to suggest and harder to do if you’re not familiar with the players in this market. We can help with this. Lists of registrars you see on the web might not be the best sources, as they are more often the result of reseller relationships than a real understanding or accurate representation of the registrars’ integrity and security. If you do decide to move your domains to a different registrar, be very careful, or consider getting help with this, so you don’t lose your domains.
- Make sure you can log in to your account at your registrar’s website. If you can’t, fix this by communicating with your registrar.
- Check your email address on file for your registrar account. (This is separate from the email address on file, also with your registrar, for your domain’s WHOIS contact information. We’ll address that a little later.) Make sure you can receive emails through this email address. Keep in mind that you or someone will need to monitor this email address for legitimate messages pertaining to your domain. If your level of human resource permits, establish an email address just for this and similar vendor management situations, and assign a responsible individual the task of checking this email account.
- Change your registrar account password to a long, complex password. (We’ll talk more about passwords at a later date.)
- Turn on multi-factor authentication, also known as MFA or two-factor authentication, on your registrar account, preferably not using SMS or text messages. (SMS-based MFA is the least secure type of MFA, but still a whole lot better than no MFA, and we’ll address this topic at a later date, too.)
- If your registrar allows it, add one or more security questions to your account, including those that must be answered when you call them on the phone. This will not only increase the security of your authentication process with them, making it harder for someone else to impersonate you, but will also make it harder for someone else to change your password using the “forgot my password” feature. Also, consider providing bogus answers to the security questions so no one else can possibly know them. Too many people know the model of the first car you owned, your favorite grade school teacher’s name, or, perish the thought, your mother’s maiden name. If you do this, make sure you record these false answers carefully and securely so you yourself aren’t locked out.
- Turn on auto-renewal for all your domains. This is very important. If it’s not turned on, you could easily lose your domain. If it’s turned on for a domain you later decide you don’t want, the worst that can happen is you spend twenty bucks on nothing, a small price to pay for ensuring the security of the domains you do want.
- Turn on locks: Most registrars offer one or two simple lock settings, often called domain lock or transfer lock. These make it harder for malicious players to move your domain to a different registrar and into an account you don’t control. You might be wondering why this helps if the crooks are in your registrar account and can simply turn the locks off. It helps because a lot of domain theft happens without compromising the owner’s registrar account. Without these locks, the bad guys can initiate a transfer from their registrar account, never needing to be in your account. That is how the system for legitimate transfers is set up, believe it or not. (These simple locks are likely enough to make your domain harder to steal than most, just as hardware store locks might be good enough for your front door when so many of your neighbors don’t lock their doors at all, but behind the scenes there is a considerably more complex and even higher-security set of options that are offered by only a few registrars, should you require a very high level of security. If you love detail, you can read about these settings in this ICANN article.)
- Check the payment methods on file with your registrar to make sure they are valid and not expired. Some registrars permit you to keep multiple credit cards on file with them. This is worth considering, as it provides a backup method of payment if your primary method fails when the registrar attempts to charge it, further minimizing the chances your domain won’t renew properly.
- Check the accuracy of the WHOIS contact information on file for your domain. This information is, or can be, separate from your account contact info, and can potentially be different for each domain you own, if that’s what you’ve specified. While the contact information on your account is important so your registrar can communicate with you, the contact information placed by your registrar in the WHOIS database is important to establish who really owns your domain. Keep in mind that this information is public. Anyone can search the WHOIS database to determine who owns a domain. Make sure your WHOIS contact info shows your name or your company’s name so you’re the true registrant, not a consultant, a web designer, or anyone else who might have helped you register the domain. If the WHOIS information does show someone else, proceed with caution. Consider that while this might have been done just as an administrative convenience at the time, it might also have been done in an effort on the part of that other party to be the true owner of a domain you thought was yours, and alerting them to the fact that you’ve discovered this might not be your best next step.
- Check and test the email address in the WHOIS information. Again, this is public information, so consider providing a separate email address here, not your primary individual email address, so you’re not dealing with a constant barrage of bogus email notices. (If any of our clients read this and check their WHOIS information, they will likely see one of our special vendor management email addresses on file so we can provide this important service for them. The remainder of the contact information will always be theirs so that they are clearly the true owner of their domains.)
- When you check your WHOIS info, you might see that your domain is registered privately, with no contact information exposed through the WHOIS database. A common misconception is that this affords a higher level of security for your domain. It does not. Instead, it provides greater security for you. Some individuals, and sometimes even businesses, want to operate a domain without its ownership being public information. Examples of this might include a news outlet with unpopular views, or a home-based business. While this can be important and sometimes well worth the trade-offs involved, it also comes with some potentially complicated issues. One little-known trade-off is that you might not really own a domain that you’ve registered privately. While a full discussion of this issue is beyond the interest of most readers of this article, we’ll write on this important topic soon. If you find your domain is registered privately and are concerned about that, feel free to contact us.
- Once you’ve checked and corrected your registrar account and domain settings, use the recurring reminder or appointment feature in your favorite calendaring software to remind you to check in on your domain each year about 30 days in advance of its renewal date. This way you’ll be sure that the payment method on file is valid and no one has tampered with your settings.
- Finally, and this gets a little technical, if you’re using a separate DNS hosting provider for your domain, not the DNS hosting features provided by your registrar, then take the account security steps above for that account, too. We won’t go any deeper into this here. If you’re using a separate DNS hosting service, you know who you are!
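Several of the checks above (who the registrar is, whether the locks are set, whether the registrant contact is really yours, and whether renewal is coming up within the 30-day window) can be read straight from the public registration record. The Python script below is an added example, not Symphony Systems’ code: it parses an RDAP domain record (RDAP is the JSON-based successor to WHOIS, defined in RFC 9083) and produces a short report with warnings for each checklist item that needs attention. The sample record is constructed for illustration and names no real domain or registrar; the fetch_rdap helper and its use of the rdap.org redirector URL are assumptions for pulling a live record when a domain name is passed on the command line.

```python
"""Audit a domain's public RDAP record against the checklist above.

Added example (not the article's or any registrar's code). RDAP is the
JSON successor to WHOIS (RFC 9083); the sample below is constructed.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample RDAP domain response: no real domain, registrar or person.
# Layout follows RFC 9083: "status", lifecycle "events", and "entities" with roles.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-company.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2010-04-12T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-04-12T00:00:00Z"},
    ],
    "entities": [
        {
            "roles": ["registrar"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Registrar LLC"],
            ]],
        },
        {
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Company Inc."],
                ["email", {}, "text", "domains@example-company.test"],
            ]],
        },
    ],
})

# Standard EPP status values that the "domain lock" / "transfer lock"
# settings at most registrars correspond to.
LOCKS_WANTED = (
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
)
RENEWAL_WARNING_DAYS = 30  # the article's suggested check-in window


def vcard_field(entity, name):
    """Return the text value of the first vCard property called `name`, or None."""
    props = entity.get("vcardArray", ["vcard", []])[1]
    for prop in props:
        if prop[0] == name:
            return prop[3]
    return None


def audit_domain(rdap_json, today_iso=None):
    """Parse an RDAP domain response and report the checklist items.

    today_iso is a 'YYYY-MM-DD' date used for the days-to-expiry calculation;
    it defaults to the current UTC date.
    """
    rec = json.loads(rdap_json)
    if today_iso:
        today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    else:
        today = datetime.now(timezone.utc)

    report = {
        "domain": rec.get("ldhName"),
        "registrar": None,
        "registrant": None,
        "registrant_email": None,
        "missing_locks": [],
        "days_to_expiry": None,
        "warnings": [],
    }

    # Registrar and registrant come from the entities' roles (step: know your registrar,
    # and make sure the registrant is you, not a consultant or designer).
    for ent in rec.get("entities", []):
        roles = ent.get("roles", [])
        if "registrar" in roles:
            report["registrar"] = vcard_field(ent, "fn")
        if "registrant" in roles:
            report["registrant"] = vcard_field(ent, "fn")
            report["registrant_email"] = vcard_field(ent, "email")

    # Lock status (step: turn on locks).
    present = set(rec.get("status", []))
    report["missing_locks"] = [lock for lock in LOCKS_WANTED if lock not in present]

    # Expiry date (step: check in about 30 days before renewal).
    for ev in rec.get("events", []):
        if ev.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            report["days_to_expiry"] = (expiry - today).days

    w = report["warnings"]
    if report["registrar"] is None:
        w.append("registrar not identified; confirm it with a WHOIS/RDAP lookup")
    if report["registrant"] is None:
        w.append("no registrant shown (private registration or redaction); "
                 "confirm with your registrar that you are the registrant")
    if report["missing_locks"]:
        w.append("locks not set: " + ", ".join(report["missing_locks"]))
    if report["days_to_expiry"] is None:
        w.append("no expiration date found; check renewal status at the registrar")
    elif report["days_to_expiry"] <= RENEWAL_WARNING_DAYS:
        w.append(f"renews in {report['days_to_expiry']} days; "
                 "verify auto-renew and the payment method on file")
    return report


def fetch_rdap(domain):
    """Fetch a live RDAP record via the rdap.org redirector (assumed URL; needs network)."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import sys
    data = fetch_rdap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RDAP
    print(json.dumps(audit_domain(data), indent=2))
```

Run without arguments to see the report for the constructed sample (one missing lock, renewal in under 30 days); pass your own domain name to audit the live record. A registrant of None does not by itself mean anything is wrong, since privacy services and redaction remove that field, but it is exactly the case where the article tells you to confirm ownership with your registrar rather than assume it.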
See It In Action
If you’ve made it this far, you now know quite a bit about securing your domains, the risks involved in responding to bogus domain-related notifications, and how to minimize them. Curious what some of those bogus letters that arrive in the mail look like? Reach out to us, and we’ll arrange to get a couple of actual samples to you. (Please understand that due to the sensitive nature of these materials, we’ll have to know who you are before we’ll be able to share this.)
Grant Hoover has been afraid to open his mail at Symphony Systems for over 30 years.